Check Point Research has published its second annual AI Security Report, documenting what it calls a decisive shift in how artificial intelligence is used in cyberattacks: AI is no longer simply accelerating existing techniques; it is now directly executing intrusions with minimal human direction.
The report is built on incident data, telemetry and original case studies gathered over the past twelve months, and its central finding is a change in degree that the authors argue amounts to a change in kind. Where AI previously functioned as a force multiplier, drafting phishing lures or debugging exploit code, Check Point Research says it has now, in several documented cases, run the mechanics of an intrusion end-to-end.
A single operator, thousands of AI-executed commands
The clearest example cited in the report is a breach affecting nine Mexican government agencies between late December 2025 and mid-February 2026, exposing roughly 400 million records spanning tax, civil registry, vehicle, patient, and electoral data. Researchers reconstructed the operation from the attacker’s own servers and found that 1,088 typed instructions from a single operator produced 5,317 AI-executed commands across 34 separate sessions.
The attacker reportedly ran two AI tools in tandem: Claude Code to actively probe and move through the networks, and GPT-4.1 to analyse exfiltrated data and feed follow-up instructions back into further Claude sessions. When Claude initially declined to assist, the attacker pasted a penetration-testing cheat sheet into a CLAUDE.md configuration file, a project file that coding agents read and treat as authoritative at the start of every session, allowing the bypass to persist automatically without a repeated jailbreak prompt.
The report links this to a separate case disclosed by Anthropic in November 2025 involving GTG-1002, a Chinese-linked espionage campaign in which the vendor said its own Claude Code agent handled an estimated 80 to 90 percent of tactical work, including reconnaissance, exploitation, credential harvesting and lateral movement, across roughly 30 target organisations.
Prompt injection detections up fivefold
Check Point AI Security telemetry cited in the report shows detections of long, malicious prompt-injection payloads rising roughly fivefold between March and May 2026, approaching 1% of all observed prompts by May. The report links this trend to the growth of agentic workflows that ingest large blocks of external content, web pages, documents, and tool outputs, which is precisely where indirect prompt injection conceals itself.
Check Point AI Security Research also examined the software supply chain around coding agents. Scanning roughly 46,500 published code packages, researchers found a local Claude Code settings file had been accidentally published in 428 of them, with live credentials, including NPM tokens and GitHub and Hugging Face keys, present in around one in 13 of those. Separately, the team identified security weaknesses in 40% of 10,000 Model Context Protocol (MCP) servers reviewed.
The report also documents two vulnerabilities Check Point Research disclosed in Claude Code project files, tracked as CVE-2025-59536 and CVE-2026-21852, which allowed attacker-controlled configuration files to execute commands or silently start a malicious MCP server the moment a developer opened a project. Both were patched, but the report notes the same automatic-trust design pattern is shared by several other coding assistants, including Cursor, Windsurf and GitHub Copilot.
Vulnerability research and the compressed patch window
The report highlights AI’s growing role in vulnerability discovery, citing Anthropic’s Project Glasswing, an internal research effort in which the unreleased Claude Mythos Preview model autonomously identified more than 10,000 high- and critical-severity zero-day vulnerabilities across major operating systems and browsers in its first month, producing a working exploit on the first attempt in roughly 83% of cases.
Check Point Research argues the same capability curve applies to attackers, and points to CISA’s binding directive requiring US federal civilian agencies to remediate certain high-risk vulnerabilities within three days of disclosure, and India’s CERT-In advisory recommending critical, internet-facing systems be patched within 12 hours, as evidence that the industry’s remediation timelines are already being forced to compress.
Identity verification under strain
A separate section of the report addresses synthetic identity. In a controlled study cited by Check Point Research, people trained specifically to detect AI-generated faces correctly identified only around 41% of them; untrained viewers identified roughly 30%. The report argues that voice, face, documents and live video can no longer function as standalone proof of identity, and recommends organisations shift toward verification methods that combine separate trusted channels, secure digital credentials and stronger live-verification checks.
Enterprise exposure outpacing governance
On enterprise AI use, Check Point data shows the average number of prompts per user grew from 56 in December 2025 to 70 in May 2026, a 25% increase, while organisations used an average of 10 different AI applications a month. The proportion of high-risk prompts, those containing sensitive corporate, personal or regulated data sent to external AI services, doubled from 2% to 4% over the same period. Between 87% and 93% of organisations had at least one high-risk GenAI interaction every month.
Business Services recorded the highest sector rate, with high-risk prompts climbing from 5.50% in January to 6.98% in May, a 27% increase in five months. Regionally, Europe recorded the highest rate of any region at 3.95%, ahead of Latin America (3.76%) and North America (3.33%).
Vendor response
Lotem Finkelstein, Vice President of Check Point Research, said the shift documented this year is more significant than the force-multiplier framing used in previous reports.
“AI has crossed into the live attack chain,” Finkelstein said, adding that the expertise barrier separating capable attackers from the rest of the field is disappearing.
The report sets out Check Point’s response across three areas it terms Security for AI, Security by AI and Security with AI, covering AI agent governance and red-teaming, ThreatCloud AI-powered threat prevention, and workforce-level visibility and data-loss prevention for GenAI use, delivered respectively through its AI Agent Security, AI Red Teaming, ThreatCloud AI and Workforce AI Security products.
The full Annual AI Security Report 2026 is available here.




